Administrator DKT27 Posted March 2, 2010

Microsoft warned of a new hole on Monday that could be exploited by attackers to take control of older Windows systems running Internet Explorer and for which proof-of-concept exploit code has been released publicly.

The vulnerability affects Windows 2000-, XP- and Server 2003-based systems. It exists in the way that Visual Basic Scripting, or VBScript, interacts with Windows Help files, Microsoft said in its security advisory. VBScript is an Active Scripting language for executing functions embedded in Web pages.

In an attack scenario, victims would somehow be lured to visit a malicious Web site that displays a specially crafted dialog box, Microsoft said. The box could prompt visitors to press the F1 key, which would install malware on the visitor's computer when pressed. The F1 key is used to bring up the help function.

Windows Vista, Windows 7, and Windows Server 2008 are not affected. The issue is mitigated on Windows Server 2003, where IE Enhanced Security Configuration is enabled by default.

The advisory includes several workarounds, including advice to avoid pressing the F1 key when prompted by a Web site, restricting access to the Windows Help System, setting Internet and Local intranet security zone settings to "high" to block ActiveX Controls and Active Scripting, and configuring IE to prompt before running Active Scripting or disable Active Scripting in the Internet and Local intranet security zone.

Microsoft complained in its advisory and a statement that the vulnerability was not responsibly disclosed. The hole was revealed on Friday and proof-of-concept code was released by iSEC Security Research.

Anyone believed to have been affected by the hole can visit Microsoft's Consumer Security Support Center Web site.

Source

aben4rent Posted March 2, 2010

Another reason to stay away from IE.

Administrator DKT27 Posted March 2, 2010

This time M$ tries to make people feel that they should buy the latest Windows, but never kick IE. :P

Bizarre™ Posted March 3, 2010

Switch to Firefox or any other browser... problem solved ^_^